ImageValidation: Pass build vars to fdf parser by Javagedes · Pull Request #747 · microsoft/mu_basecore

Javagedes · 2024-02-21T22:22:15Z

Description

Updates the ImageValidation plugin to pass the locally (to the DSC) defined variables and the build variables to the fdf parser. The previous implementation only passed the variables defined in the DSC, which is a bug.

This bug currently impacts any platform that actively uses the ImageValidation plugin, and consumes the new crypto binaries in the FDF. In this scenario, SHARED_CRYPTO_PATH is passed to the dsc parser, but not passed to the fdf parser, which results in the fdf parser failing due to paths not existing (as they contain $(SHARED_CRYPTO_PATH))

error example: FileNotFoundError: $(SHARED_CRYPTO_PATH)/Driver/Bin/CryptoDriver.DXE.inc.fdf

Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
Impacts security?
- Security - Does the change have a direct security impact on an application,
  flow, or firmware?
- Examples: Crypto algorithm change, buffer overflow fix, parameter
  validation improvement, ...
Breaking change?
- Breaking change - Will anyone consuming this change experience a break
  in build or boot behavior?
- Examples: Add a new library class, move a module to a different repo, call
  a function in a new library class in a pre-existing module, ...
Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
Includes documentation?
- Documentation - Does the change contain explicit documentation additions
  outside direct code modifications (and comments)?
- Examples: Update readme file, add feature readme file, link to documentation
  on an a separate Web page, ...

How This Was Tested

Verified that build variables (such as BLD_*_) that are ultimetely passed to build.py are correctly passed to both the dsc parser and the fdf parser, rather than just the dsc parser, for the ImageValidatio plugin.

Integration Instructions

N/A

codecov-commenter · 2024-02-21T22:42:23Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 1.24%. Comparing base (ab60805) to head (0359bb0).
⚠️ Report is 235 commits behind head on release/202311.

Additional details and impacted files

@@               Coverage Diff               @@
##           release/202311     #747   +/-   ##
===============================================
  Coverage            1.24%    1.24%           
===============================================
  Files                1301     1301           
  Lines              332064   332064           
  Branches             5127     5127           
===============================================
  Hits                 4126     4126           
  Misses             327891   327891           
  Partials               47       47

Flag	Coverage Δ
MdeModulePkg	`0.70% <ø> (ø)`
MdePkg	`5.37% <ø> (ø)`
NetworkPkg	`0.00% <ø> (ø)`
PolicyServicePkg	`30.20% <ø> (ø)`
UnitTestFrameworkPkg	`∅ <ø> (∅)`

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Updates the ImageValidation plugin to pass the locally (to the DSC) defined variables and the build variables to the fdf parser. The previous implementation only passed the variables defined in the DSC, which is a bug.

The addition of an PE/COFF image validation build plugin that will verify all pe images against requirements defined in the configuration file. This plugin only runs if a path to a config file is provided via the command line (PE_VALIDATION_PATH) or preferably Platform hardcoded in the PlatformBuild.py file, so that each platform can have their own requirements. Contains: - #340 - #537 - #539 - #747 Co-authored-by: Michael Kubacki <michael.kubacki@microsoft.com>

The addition of an PE/COFF image validation build plugin that will verify all pe images against requirements defined in the configuration file. This plugin only runs if a path to a config file is provided via the command line (PE_VALIDATION_PATH) or preferably Platform hardcoded in the PlatformBuild.py file, so that each platform can have their own requirements. Previously, ImageValidation was an "opt-in" plugin by setting a build variable `PE_VALIDATION_PATH`, however with this pull request, Image Validation will be on by default, with some default configuration that can be changed with a custom configuration yaml file. The default requirements are: 1. All efi binaries must not be both write and execute 2. All efi binaries must have an image base of 0x0 3. All dxe phase binaries must be 4k section aligned, with the one exception of AARCH64 DXE_RUNTIME_DRIVERS, which must be 64k aligned. compiled binaries that need to be opted out of, can do so by adding an `IGNORE_LIST` in the configuration file ```json { "IGNORE_LIST": ["Shell.efi", "etc"] } ``` In previous iterations, the profile was determined by parsing the makefile, looking for MODULE_TYPE. As each OS / tool chain may use a different makefile type, this was not a reliable method. This updates the plugin to read the INF for the compiled efi file to determine the MODULE_TYPE and thus the profile. The PE parsing functionality was modified to only parse the headers of the image, rather than the entire image. This change is made to improve performance and also the probability of failing to parse the entire image. This comes after this commit (erocarrera/pefile#365) in pefile resulted in efi image parsing failures, breaking the build. This commit also wraps the parsing of the image in a try-except block to catch any exceptions that may be raised during parsing, to cleanly exit. - Print directory paths considered invalid to aid debugging - Build native OS file paths using os.path.join for walk dirs - Clean up trailing whitespace throughout the file Add gitignore style syntax for file exclusion Contains: - microsoft#340 - microsoft#537 - microsoft#539 - microsoft#747 - microsoft#1100 - microsoft#1127 - microsoft#1142 - microsoft#1140 Confirmed successful execution of the plugin on Windows with QemuQ35 and Ubuntu with QemuSbsa Validated on qemuq35 that the module type was successfully parsed. Validated pipelines build on mu_tiano_platforms - Local build with the plugin - Tested invalid directory printing by adding an invalid arch to `TARGET_ARCH` (so the directory doesn't exist in build output). Ensured existing syntax (filename only) continues to work. Ensured gitignore style syntax now works. Platforms that begin to fail this test will need to generate a configuration yaml file, and set a stuart build variable, `PE_VALIDATION_PATH` to it. It is suggested to do this in the Platform's `PlatformBuild.py`. **The Correct Integration** is to evaluate the binary and why it is not meeting the requirements. The platform can elect to update the compilation of the binary to meet the requirements, add or override validation rules for certain MODULE_TYPEs, or simply add the binary to the ignore list. Please review the Plugin's readme.md file for more details on doing any of these things. Co-authored-by: Michael Kubacki <michael.kubacki@microsoft.com>

The addition of an PE/COFF image validation build plugin that will verify all pe images against requirements defined in the configuration file. This plugin only runs if a path to a config file is provided via the command line (PE_VALIDATION_PATH) or preferably Platform hardcoded in the PlatformBuild.py file, so that each platform can have their own requirements. Previously, ImageValidation was an "opt-in" plugin by setting a build variable `PE_VALIDATION_PATH`, however with this pull request, Image Validation will be on by default, with some default configuration that can be changed with a custom configuration yaml file. The default requirements are: 1. All efi binaries must not be both write and execute 2. All efi binaries must have an image base of 0x0 3. All dxe phase binaries must be 4k section aligned, with the one exception of AARCH64 DXE_RUNTIME_DRIVERS, which must be 64k aligned. compiled binaries that need to be opted out of, can do so by adding an `IGNORE_LIST` in the configuration file ```json { "IGNORE_LIST": ["Shell.efi", "etc"] } ``` In previous iterations, the profile was determined by parsing the makefile, looking for MODULE_TYPE. As each OS / tool chain may use a different makefile type, this was not a reliable method. This updates the plugin to read the INF for the compiled efi file to determine the MODULE_TYPE and thus the profile. The PE parsing functionality was modified to only parse the headers of the image, rather than the entire image. This change is made to improve performance and also the probability of failing to parse the entire image. This comes after this commit (erocarrera/pefile#365) in pefile resulted in efi image parsing failures, breaking the build. This commit also wraps the parsing of the image in a try-except block to catch any exceptions that may be raised during parsing, to cleanly exit. - Print directory paths considered invalid to aid debugging - Build native OS file paths using os.path.join for walk dirs - Clean up trailing whitespace throughout the file Add gitignore style syntax for file exclusion Contains: - #340 - #537 - #539 - #747 - #1100 - #1127 - #1142 - #1140 Confirmed successful execution of the plugin on Windows with QemuQ35 and Ubuntu with QemuSbsa Validated on qemuq35 that the module type was successfully parsed. Validated pipelines build on mu_tiano_platforms - Local build with the plugin - Tested invalid directory printing by adding an invalid arch to `TARGET_ARCH` (so the directory doesn't exist in build output). Ensured existing syntax (filename only) continues to work. Ensured gitignore style syntax now works. Platforms that begin to fail this test will need to generate a configuration yaml file, and set a stuart build variable, `PE_VALIDATION_PATH` to it. It is suggested to do this in the Platform's `PlatformBuild.py`. **The Correct Integration** is to evaluate the binary and why it is not meeting the requirements. The platform can elect to update the compilation of the binary to meet the requirements, add or override validation rules for certain MODULE_TYPEs, or simply add the binary to the ignore list. Please review the Plugin's readme.md file for more details on doing any of these things. Co-authored-by: Michael Kubacki <michael.kubacki@microsoft.com>

The addition of an PE/COFF image validation build plugin that will verify all pe images against requirements defined in the configuration file. This plugin only runs if a path to a config file is provided via the command line (PE_VALIDATION_PATH) or preferably Platform hardcoded in the PlatformBuild.py file, so that each platform can have their own requirements. Previously, ImageValidation was an "opt-in" plugin by setting a build variable `PE_VALIDATION_PATH`, however with this pull request, Image Validation will be on by default, with some default configuration that can be changed with a custom configuration yaml file. The default requirements are: 1. All efi binaries must not be both write and execute 2. All efi binaries must have an image base of 0x0 3. All dxe phase binaries must be 4k section aligned, with the one exception of AARCH64 DXE_RUNTIME_DRIVERS, which must be 64k aligned. compiled binaries that need to be opted out of, can do so by adding an `IGNORE_LIST` in the configuration file ```json { "IGNORE_LIST": ["Shell.efi", "etc"] } ``` In previous iterations, the profile was determined by parsing the makefile, looking for MODULE_TYPE. As each OS / tool chain may use a different makefile type, this was not a reliable method. This updates the plugin to read the INF for the compiled efi file to determine the MODULE_TYPE and thus the profile. The PE parsing functionality was modified to only parse the headers of the image, rather than the entire image. This change is made to improve performance and also the probability of failing to parse the entire image. This comes after this commit (erocarrera/pefile#365) in pefile resulted in efi image parsing failures, breaking the build. This commit also wraps the parsing of the image in a try-except block to catch any exceptions that may be raised during parsing, to cleanly exit. - Print directory paths considered invalid to aid debugging - Build native OS file paths using os.path.join for walk dirs - Clean up trailing whitespace throughout the file Add gitignore style syntax for file exclusion Contains: - microsoft#340 - microsoft#537 - microsoft#539 - microsoft#747 - microsoft#1100 - microsoft#1127 - microsoft#1142 - microsoft#1140 Confirmed successful execution of the plugin on Windows with QemuQ35 and Ubuntu with QemuSbsa Validated on qemuq35 that the module type was successfully parsed. Validated pipelines build on mu_tiano_platforms - Local build with the plugin - Tested invalid directory printing by adding an invalid arch to `TARGET_ARCH` (so the directory doesn't exist in build output). Ensured existing syntax (filename only) continues to work. Ensured gitignore style syntax now works. Platforms that begin to fail this test will need to generate a configuration yaml file, and set a stuart build variable, `PE_VALIDATION_PATH` to it. It is suggested to do this in the Platform's `PlatformBuild.py`. **The Correct Integration** is to evaluate the binary and why it is not meeting the requirements. The platform can elect to update the compilation of the binary to meet the requirements, add or override validation rules for certain MODULE_TYPEs, or simply add the binary to the ignore list. Please review the Plugin's readme.md file for more details on doing any of these things. Co-authored-by: Michael Kubacki <michael.kubacki@microsoft.com>

The addition of an PE/COFF image validation build plugin that will verify all pe images against requirements defined in the configuration file. This plugin only runs if a path to a config file is provided via the command line (PE_VALIDATION_PATH) or preferably Platform hardcoded in the PlatformBuild.py file, so that each platform can have their own requirements. Previously, ImageValidation was an "opt-in" plugin by setting a build variable `PE_VALIDATION_PATH`, however with this pull request, Image Validation will be on by default, with some default configuration that can be changed with a custom configuration yaml file. The default requirements are: 1. All efi binaries must not be both write and execute 2. All efi binaries must have an image base of 0x0 3. All dxe phase binaries must be 4k section aligned, with the one exception of AARCH64 DXE_RUNTIME_DRIVERS, which must be 64k aligned. compiled binaries that need to be opted out of, can do so by adding an `IGNORE_LIST` in the configuration file ```json { "IGNORE_LIST": ["Shell.efi", "etc"] } ``` In previous iterations, the profile was determined by parsing the makefile, looking for MODULE_TYPE. As each OS / tool chain may use a different makefile type, this was not a reliable method. This updates the plugin to read the INF for the compiled efi file to determine the MODULE_TYPE and thus the profile. The PE parsing functionality was modified to only parse the headers of the image, rather than the entire image. This change is made to improve performance and also the probability of failing to parse the entire image. This comes after this commit (erocarrera/pefile#365) in pefile resulted in efi image parsing failures, breaking the build. This commit also wraps the parsing of the image in a try-except block to catch any exceptions that may be raised during parsing, to cleanly exit. - Print directory paths considered invalid to aid debugging - Build native OS file paths using os.path.join for walk dirs - Clean up trailing whitespace throughout the file Add gitignore style syntax for file exclusion Contains: - #340 - #537 - #539 - #747 - #1100 - #1127 - #1142 - #1140 Confirmed successful execution of the plugin on Windows with QemuQ35 and Ubuntu with QemuSbsa Validated on qemuq35 that the module type was successfully parsed. Validated pipelines build on mu_tiano_platforms - Local build with the plugin - Tested invalid directory printing by adding an invalid arch to `TARGET_ARCH` (so the directory doesn't exist in build output). Ensured existing syntax (filename only) continues to work. Ensured gitignore style syntax now works. Platforms that begin to fail this test will need to generate a configuration yaml file, and set a stuart build variable, `PE_VALIDATION_PATH` to it. It is suggested to do this in the Platform's `PlatformBuild.py`. **The Correct Integration** is to evaluate the binary and why it is not meeting the requirements. The platform can elect to update the compilation of the binary to meet the requirements, add or override validation rules for certain MODULE_TYPEs, or simply add the binary to the ignore list. Please review the Plugin's readme.md file for more details on doing any of these things. Co-authored-by: Michael Kubacki <michael.kubacki@microsoft.com>

The addition of an PE/COFF image validation build plugin that will verify all pe images against requirements defined in the configuration file. This plugin only runs if a path to a config file is provided via the command line (PE_VALIDATION_PATH) or preferably Platform hardcoded in the PlatformBuild.py file, so that each platform can have their own requirements. Previously, ImageValidation was an "opt-in" plugin by setting a build variable `PE_VALIDATION_PATH`, however with this pull request, Image Validation will be on by default, with some default configuration that can be changed with a custom configuration yaml file. The default requirements are: 1. All efi binaries must not be both write and execute 2. All efi binaries must have an image base of 0x0 3. All dxe phase binaries must be 4k section aligned, with the one exception of AARCH64 DXE_RUNTIME_DRIVERS, which must be 64k aligned. compiled binaries that need to be opted out of, can do so by adding an `IGNORE_LIST` in the configuration file ```json { "IGNORE_LIST": ["Shell.efi", "etc"] } ``` In previous iterations, the profile was determined by parsing the makefile, looking for MODULE_TYPE. As each OS / tool chain may use a different makefile type, this was not a reliable method. This updates the plugin to read the INF for the compiled efi file to determine the MODULE_TYPE and thus the profile. The PE parsing functionality was modified to only parse the headers of the image, rather than the entire image. This change is made to improve performance and also the probability of failing to parse the entire image. This comes after this commit (erocarrera/pefile#365) in pefile resulted in efi image parsing failures, breaking the build. This commit also wraps the parsing of the image in a try-except block to catch any exceptions that may be raised during parsing, to cleanly exit. - Print directory paths considered invalid to aid debugging - Build native OS file paths using os.path.join for walk dirs - Clean up trailing whitespace throughout the file Add gitignore style syntax for file exclusion Contains: - microsoft#340 - microsoft#537 - microsoft#539 - microsoft#747 - microsoft#1100 - microsoft#1127 - microsoft#1142 - microsoft#1140 Confirmed successful execution of the plugin on Windows with QemuQ35 and Ubuntu with QemuSbsa Validated on qemuq35 that the module type was successfully parsed. Validated pipelines build on mu_tiano_platforms - Local build with the plugin - Tested invalid directory printing by adding an invalid arch to `TARGET_ARCH` (so the directory doesn't exist in build output). Ensured existing syntax (filename only) continues to work. Ensured gitignore style syntax now works. Platforms that begin to fail this test will need to generate a configuration yaml file, and set a stuart build variable, `PE_VALIDATION_PATH` to it. It is suggested to do this in the Platform's `PlatformBuild.py`. **The Correct Integration** is to evaluate the binary and why it is not meeting the requirements. The platform can elect to update the compilation of the binary to meet the requirements, add or override validation rules for certain MODULE_TYPEs, or simply add the binary to the ignore list. Please review the Plugin's readme.md file for more details on doing any of these things. Co-authored-by: Michael Kubacki <michael.kubacki@microsoft.com>

The addition of an PE/COFF image validation build plugin that will verify all pe images against requirements defined in the configuration file. This plugin only runs if a path to a config file is provided via the command line (PE_VALIDATION_PATH) or preferably Platform hardcoded in the PlatformBuild.py file, so that each platform can have their own requirements. Previously, ImageValidation was an "opt-in" plugin by setting a build variable `PE_VALIDATION_PATH`, however with this pull request, Image Validation will be on by default, with some default configuration that can be changed with a custom configuration yaml file. The default requirements are: 1. All efi binaries must not be both write and execute 2. All efi binaries must have an image base of 0x0 3. All dxe phase binaries must be 4k section aligned, with the one exception of AARCH64 DXE_RUNTIME_DRIVERS, which must be 64k aligned. compiled binaries that need to be opted out of, can do so by adding an `IGNORE_LIST` in the configuration file ```json { "IGNORE_LIST": ["Shell.efi", "etc"] } ``` In previous iterations, the profile was determined by parsing the makefile, looking for MODULE_TYPE. As each OS / tool chain may use a different makefile type, this was not a reliable method. This updates the plugin to read the INF for the compiled efi file to determine the MODULE_TYPE and thus the profile. The PE parsing functionality was modified to only parse the headers of the image, rather than the entire image. This change is made to improve performance and also the probability of failing to parse the entire image. This comes after this commit (erocarrera/pefile#365) in pefile resulted in efi image parsing failures, breaking the build. This commit also wraps the parsing of the image in a try-except block to catch any exceptions that may be raised during parsing, to cleanly exit. - Print directory paths considered invalid to aid debugging - Build native OS file paths using os.path.join for walk dirs - Clean up trailing whitespace throughout the file Add gitignore style syntax for file exclusion Contains: - #340 - #537 - #539 - #747 - #1100 - #1127 - #1142 - #1140 Confirmed successful execution of the plugin on Windows with QemuQ35 and Ubuntu with QemuSbsa Validated on qemuq35 that the module type was successfully parsed. Validated pipelines build on mu_tiano_platforms - Local build with the plugin - Tested invalid directory printing by adding an invalid arch to `TARGET_ARCH` (so the directory doesn't exist in build output). Ensured existing syntax (filename only) continues to work. Ensured gitignore style syntax now works. Platforms that begin to fail this test will need to generate a configuration yaml file, and set a stuart build variable, `PE_VALIDATION_PATH` to it. It is suggested to do this in the Platform's `PlatformBuild.py`. **The Correct Integration** is to evaluate the binary and why it is not meeting the requirements. The platform can elect to update the compilation of the binary to meet the requirements, add or override validation rules for certain MODULE_TYPEs, or simply add the binary to the ignore list. Please review the Plugin's readme.md file for more details on doing any of these things. Co-authored-by: Michael Kubacki <michael.kubacki@microsoft.com>

github-actions bot added the impact:non-functional Does not have a functional impact label Feb 21, 2024

Javagedes requested review from kenlautner and makubacki February 21, 2024 22:48

kenlautner approved these changes Feb 23, 2024

View reviewed changes

makubacki approved these changes Feb 23, 2024

View reviewed changes

ImageValidation: Pass build vars to fdf parser

0359bb0

Updates the ImageValidation plugin to pass the locally (to the DSC) defined variables and the build variables to the fdf parser. The previous implementation only passed the variables defined in the DSC, which is a bug.

Javagedes merged commit 5219f12 into microsoft:release/202311 Feb 23, 2024

makubacki added the type:bug Something isn't working label Mar 5, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ImageValidation: Pass build vars to fdf parser#747

ImageValidation: Pass build vars to fdf parser#747
Javagedes merged 1 commit intomicrosoft:release/202311from
Javagedes:image-validation-bugfix

Javagedes commented Feb 21, 2024 •

edited

Loading

Uh oh!

codecov-commenter commented Feb 21, 2024 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

Javagedes commented Feb 21, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description

How This Was Tested

Integration Instructions

Uh oh!

codecov-commenter commented Feb 21, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Javagedes commented Feb 21, 2024 •

edited

Loading

codecov-commenter commented Feb 21, 2024 •

edited

Loading